AAMI 01.28.16
Manufacturers need to proactively plan for and assess cybersecurity vulnerabilities once their devices have entered the market, according to draft guidance published by the Food and Drug Administration (FDA). In fact, the agency is urging manufacturers to not only share actionable information about potential threats with users and healthcare delivery organizations, but also with each other.
“The FDA is encouraging medical device manufacturers to take a proactive approach to cybersecurity management of their medical devices,” said Suzanne Schwartz, MD, associate director for science and strategic partnerships and acting director of emergency preparedness/operations and medical countermeasures for the FDA’s Center for Devices and Radiological Health, in a news release. “Only when we work collaboratively and openly in a trusted environment, will we be able to best protect patient safety and stay ahead of cybersecurity threats.”
According to the draft guidance—Postmarket Management of Cybersecurity in Medical Devices—sharing cyber risk information and intelligence within the medical device community is critical for developing a “proactive, rather than reactive, postmarket cybersecurity approach.”
Failing to maintain cybersecurity throughout a device’s lifecycle carries an extremely high cost: it can result in compromised device functionality, loss of medical or personal data, or exposure of other connected devices or networks to security threats, which could in turn result in patient illness, injury, or death, the FDA wrote in its guidance document.
“We are really not concerned about medical devices per se,” said one panelist at an FDA public cybersecurity workshop held Jan. 20-21. “What we really want is security within the healthcare ecosystem.”
To mitigate these potential harms, the FDA recommends implementing a structured, systematic cybersecurity risk management program, which involves:
- Incorporating the core principles of the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity: identify, protect, detect, respond, and recover.
- Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risks.
- Understanding, assessing, and detecting the presence and impact of a vulnerability.
- Establishing and communicating processes for vulnerability intake and handling.
- Clearly defining essential clinical performance to develop mitigations that protect, respond, and recover from a cybersecurity risk.
- Adopting a coordinated vulnerability disclosure policy and practice.
- Deploying mitigations that address cybersecurity risk early and prior to exploitation.
In most cases, the actions a manufacturer takes to address cybersecurity vulnerabilities and exploits are considered “cybersecurity routine updates or patches” by the FDA, meaning no advance notification, additional premarket review, or reporting is required. However, vulnerabilities or exploits that “compromise the essential clinical performance of a device and present a reasonable probability of serious adverse health consequences or death” would require the manufacturer to notify the FDA, according to the draft guidance.
The proposed guidance says that the FDA won’t enforce reporting requirements related to device vulnerabilities provided that the manufacturer acts in a way that sufficiently reduces the risk of patient harm, and if certain conditions are met. These conditions include:
- No serious adverse events or deaths are associated with the vulnerability.
- The manufacturer notifies users and implements changes that reduce the risk to an acceptable level within 30 days of learning about the vulnerability.
- The manufacturer is a participating member of an information sharing and analysis organization (ISAO) and reports the vulnerability, its assessment, and remediation to the group.
ISAOs are communities formed to promote information sharing among private- and public-sector members. President Obama encouraged the development of cybersecurity ISAOs in his Feb. 13, 2015 executive order on cybersecurity information sharing. A key feature of these organizations is that any information shared “is shielded from any release otherwise required by the Freedom of Information Act or State Sunshine Laws and is exempt from regulatory use and civil litigation if the information satisfies the requirements of the Critical Infrastructure Information Act of 2002,” according to the draft guidance.
“The agency considers voluntary participation in an ISAO a critical component of a medical device manufacturer’s comprehensive proactive approach to management of postmarket cybersecurity threats and vulnerabilities and a significant step towards assuring the ongoing safety and effectiveness of marketed medical devices,” the FDA stated. To that end, the FDA has formalized an agreement with the National Health Information Sharing and Analysis Center to encourage information sharing about cybersecurity threats.
Allan Friedman, director of cybersecurity initiatives at the U.S. Department of Commerce’s National Telecommunications and Information Administration, summed it up succinctly at the FDA’s cybersecurity workshop: “The government isn’t going to tell you what to do, but it is going to encourage you to talk.”
The FDA is encouraging stakeholders to comment on the draft guidance until April 21, 2016. Comments can be submitted through regulations.gov.